J3.x:Backward Compatibility in Joomla 3.4.7

From Joomla! Documentation

Revision as of 07:40, 22 December 2015 by FuzzyBot

What has changed?

Starting from version 3.4.7, Joomla saves session data in a base64-encoded data container instead of storing it in plaintext in the global $_SESSION.

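Basically, Joomla switched from

function set($key, $value, $namespace) {
  // Before 3.4.7: the value is written in plaintext straight into $_SESSION
  $_SESSION[$namespace][$key] = $value;
}

to

function set($key, $value, $namespace) {
  // From 3.4.7: the value goes into the data container, which is serialized and base64-encoded
  $this->data->set($namespace . '.' . $key, $value);
  $_SESSION['joomla'] = base64_encode(serialize($this->data));
}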

Why has this been changed?

This was required to work around a critical PHP bug fixed in September 2015. The bug creates several attack vectors connected to plaintext, user-supplied data saved in a session.

Will my extensions continue to work?

We have 3 scenarios here:

Scenario 1 - You’re already using JSession: In this case you’re perfectly safe because the API of JSession hasn’t been changed. The session encoding has been implemented transparently, so no changes to your code are required.

Scenario 2 - You’re using $_SESSION to read or write your own, extension-specific data: In this case your extension will continue to work. The new code doesn’t touch any other data in the global $_SESSION variable.

Scenario 3 - You’re using $_SESSION to read or write general data shared with Joomla or other extensions: In this case your extension will break because the internal structure of $_SESSION has been changed. An easy fix is to use JSession to replace direct usages of $_SESSION.
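
The three scenarios above, side by side, as an added sketch that is not Joomla's own code. SessionSketch is a hypothetical stand-in for JSession that uses a plain array as the data container; the 'shared' namespace, the 'com_example' key and all values are constructed.

```php
<?php
// Hypothetical stand-in for JSession, written for this illustration only.
class SessionSketch
{
    private $data = array();  // plays the role of the data container ($this->data)
    private $encoded;         // false = old plaintext layout, true = 3.4.7 layout

    public function __construct($encoded)
    {
        $this->encoded = $encoded;
    }

    public function set($key, $value, $namespace)
    {
        if (!$this->encoded) {
            $_SESSION[$namespace][$key] = $value;
            return;
        }
        $this->data[$namespace . '.' . $key] = $value;
        $_SESSION['joomla'] = base64_encode(serialize($this->data));
    }

    public function get($key, $default, $namespace)
    {
        if (!$this->encoded) {
            return isset($_SESSION[$namespace][$key]) ? $_SESSION[$namespace][$key] : $default;
        }
        $name = $namespace . '.' . $key;
        return isset($this->data[$name]) ? $this->data[$name] : $default;
    }
}

$_SESSION = array();                            // constructed session for a CLI run
$_SESSION['com_example'] = array('cart' => 3);  // Scenario 2: the extension's own key

foreach (array(false, true) as $encoded) {
    unset($_SESSION['shared'], $_SESSION['joomla']);
    $session = new SessionSketch($encoded);
    $session->set('token', 'abc123', 'shared'); // data shared through the session API

    // Scenario 3 reads $_SESSION directly; Scenario 1 goes through the API.
    $direct = isset($_SESSION['shared']['token']) ? $_SESSION['shared']['token'] : null;
    printf("%s layout: direct=%s api=%s own=%d\n",
        $encoded ? '3.4.7' : 'old',
        var_export($direct, true),
        var_export($session->get('token', null, 'shared'), true),
        $_SESSION['com_example']['cart']);
}
```

Under the 3.4.7 layout the direct read finds nothing because the only Joomla-owned key left in $_SESSION is the encoded 'joomla' entry, while the API read and the extension's own key behave the same in both layouts.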